* OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-#define RCSID "$Id: auth.c,v 1.90 2002/12/04 23:03:32 paulus Exp $"
+#define RCSID "$Id: auth.c,v 1.96 2004/10/24 23:26:19 paulus Exp $"
#include <stdio.h>
#include <stddef.h>
#include "ecp.h"
#include "ipcp.h"
#include "upap.h"
-#include "chap.h"
+#include "chap-new.h"
#include "eap.h"
#ifdef CBCP_SUPPORT
#include "cbcp.h"
/* Hook for a plugin to get the PAP password for authenticating us */
int (*pap_passwd_hook) __P((char *user, char *passwd)) = NULL;
+/* Hook for a plugin to say if we can possibly authenticate a peer using CHAP */
+int (*chap_check_hook) __P((void)) = NULL;
+
+/* Hook for a plugin to get the CHAP password for authenticating us */
+int (*chap_passwd_hook) __P((char *user, char *passwd)) = NULL;
+
/* Hook for a plugin to say whether it is OK if the peer
refuses to authenticate. */
int (*null_auth_hook) __P((struct wordlist **paddrs,
/* get username */
if (fgets(u, MAXNAMELEN - 1, ufile) == NULL
- || fgets(p, MAXSECRETLEN - 1, ufile) == NULL){
+ || fgets(p, MAXSECRETLEN - 1, ufile) == NULL) {
+ fclose(ufile);
option_error("unable to read user login data file %s", fname);
return 0;
}
&& protp->lowerup != NULL)
(*protp->lowerup)(unit);
+ if (!auth_required && noauth_addrs != NULL)
+ set_allowed_addrs(unit, NULL, NULL);
+
if (auth_required && !(go->neg_upap || go->neg_chap || go->neg_eap)) {
/*
* We wanted the peer to authenticate itself, and it refused:
eap_authpeer(unit, our_name);
auth |= EAP_PEER;
} else if (go->neg_chap) {
- ChapAuthPeer(unit, our_name, CHAP_DIGEST(go->chap_mdtype));
+ chap_auth_peer(unit, our_name, CHAP_DIGEST(go->chap_mdtype));
auth |= CHAP_PEER;
} else if (go->neg_upap) {
upap_authpeer(unit);
eap_authwithpeer(unit, user);
auth |= EAP_WITHPEER;
} else if (ho->neg_chap) {
- ChapAuthWithPeer(unit, user, CHAP_DIGEST(ho->chap_mdtype));
+ chap_auth_with_peer(unit, user, CHAP_DIGEST(ho->chap_mdtype));
auth |= CHAP_WITHPEER;
} else if (ho->neg_upap) {
if (passwd[0] == 0) {
case PPP_CHAP:
bit = CHAP_PEER;
switch (prot_flavor) {
- case CHAP_DIGEST_MD5:
+ case CHAP_MD5:
bit |= CHAP_MD5_PEER;
break;
#ifdef CHAPMS
case PPP_CHAP:
bit = CHAP_WITHPEER;
switch (prot_flavor) {
- case CHAP_DIGEST_MD5:
+ case CHAP_MD5:
bit |= CHAP_MD5_WITHPEER;
break;
#ifdef CHAPMS
exit(1);
}
+
+ /*
+ * Early check for remote number authorization.
+ */
+ if (!auth_number()) {
+ warn("calling number %q is not authorized", remote_number);
+ exit(EXIT_CNID_AUTH_FAILED);
+ }
}
/*
if (pap_auth_hook) {
ret = (*pap_auth_hook)(user, passwd, msg, &addrs, &opts);
if (ret >= 0) {
+ /* note: set_allowed_addrs() saves opts (but not addrs):
+ don't free it! */
if (ret)
set_allowed_addrs(unit, addrs, opts);
- BZERO(passwd, sizeof(passwd));
+ else if (opts != 0)
+ free_wordlist(opts);
if (addrs != 0)
free_wordlist(addrs);
- if (opts != 0) {
- free_wordlist(opts);
- }
+ BZERO(passwd, sizeof(passwd));
return ret? UPAP_AUTHACK: UPAP_AUTHNAK;
}
}
} else {
np = getnetbyname (ptr_word);
if (np != NULL && np->n_addrtype == AF_INET) {
- a = htonl (*(u_int32_t *)np->n_net);
+ a = htonl ((u_int32_t)np->n_net);
if (ptr_mask == NULL) {
/* calculate appropriate mask for net */
ah = ntohl(a);